LExxB650 T2P CI+ hacking

This forum is for information related to B series hardware rather than firmware/software.

erdem_ua
SamyGO Admin
Posts: 3126
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: Encryption/Decryption of Update files.

Post by erdem_ua »

mprotect wrote: Hi,

I attach some tools for decrypting/encrypting the CIP firmware files and a plugin for disabling the RSA signature check.
Try them at your own risk :!: I tested the tools but I didn't flash a patched firmware yet.
Hoo hooo hoo, Santa mprotect here gives a new year present :)
Happy 2010 to all :)
rubinho76
Posts: 13
Joined: Wed Dec 30, 2009 10:12 am

Re: LExxB650 T2P CI+ hacking

Post by rubinho76 »

Hello and happy new year,

With joy I have found that there is now a possibility to decrypt CIP devices.
But I have problems compiling the decrypter.

Which packages are required so that the compile succeeds?

My System : Debian 5 x86
Installed Packages: make and GCC

Code:

cip-update# make
gcc -O2 -Wall -pedantic -o decrypt_update decrypt_update.c -lcrypto
decrypt_update.c:8:25: error: openssl/evp.h: Datei oder Verzeichnis nicht gefunden
decrypt_update.c:9:25: error: openssl/rsa.h: Datei oder Verzeichnis nicht gefunden
decrypt_update.c:10:25: error: openssl/pem.h: Datei oder Verzeichnis nicht gefunden
decrypt_update.c: In function ‘main’:
decrypt_update.c:103: warning: ISO C forbids nested functions
decrypt_update.c:103: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
decrypt_update.c:103: error: ‘sha1’ undeclared (first use in this function)
decrypt_update.c:103: error: (Each undeclared identifier is reported only once
decrypt_update.c:103: error: for each function it appears in.)
decrypt_update.c:104: warning: ISO C forbids nested functions
decrypt_update.c:104: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
decrypt_update.c:104: warning: ISO C90 forbids mixed declarations and code
decrypt_update.c:104: error: ‘aes128cbc’ undeclared (first use in this function)
decrypt_update.c:105: error: ‘EVP_MD_CTX’ undeclared (first use in this function)
decrypt_update.c:105: error: expected ‘;’ before ‘keygen’
decrypt_update.c:106: error: expected ‘;’ before ‘checksum’
decrypt_update.c:107: error: ‘EVP_CIPHER_CTX’ undeclared (first use in this function)
decrypt_update.c:107: error: expected ‘;’ before ‘decrypt’
decrypt_update.c:108: warning: ISO C90 forbids mixed declarations and code
decrypt_update.c:131: error: ‘RSA’ undeclared (first use in this function)
decrypt_update.c:131: error: ‘pubkey’ undeclared (first use in this function)
decrypt_update.c:132: warning: ISO C90 forbids mixed declarations and code
decrypt_update.c:174: warning: implicit declaration of function ‘strtoul’
decrypt_update.c:205: warning: implicit declaration of function ‘OpenSSL_add_all_algorithms’
decrypt_update.c:210: warning: implicit declaration of function ‘EVP_get_digestbyname’
decrypt_update.c:213: warning: implicit declaration of function ‘EVP_cleanup’
decrypt_update.c:220: warning: implicit declaration of function ‘EVP_get_cipherbyname’
decrypt_update.c:230: warning: implicit declaration of function ‘EVP_MD_CTX_init’
decrypt_update.c:230: error: ‘keygen’ undeclared (first use in this function)
decrypt_update.c:233: warning: implicit declaration of function ‘EVP_DigestInit’
decrypt_update.c:236: warning: implicit declaration of function ‘EVP_MD_CTX_cleanup’
decrypt_update.c:244: warning: implicit declaration of function ‘EVP_DigestUpdate’
decrypt_update.c:256: warning: implicit declaration of function ‘EVP_DigestFinal’
decrypt_update.c:283: warning: implicit declaration of function ‘EVP_BytesToKey’
decrypt_update.c:283: warning: implicit declaration of function ‘EVP_md5’
decrypt_update.c:287: warning: implicit declaration of function ‘EVP_CIPHER_CTX_init’
decrypt_update.c:287: error: ‘decrypt’ undeclared (first use in this function)
decrypt_update.c:289: warning: implicit declaration of function ‘EVP_CipherInit’
decrypt_update.c:299: error: ‘checksum’ undeclared (first use in this function)
decrypt_update.c:304: warning: implicit declaration of function ‘EVP_CIPHER_CTX_cleanup’
decrypt_update.c:318: warning: implicit declaration of function ‘EVP_CipherUpdate’
decrypt_update.c:345: warning: implicit declaration of function ‘EVP_CipherFinal’
decrypt_update.c:402: warning: implicit declaration of function ‘PEM_read_RSAPublicKey’
decrypt_update.c:402: warning: comparison between pointer and integer
decrypt_update.c:420: warning: implicit declaration of function ‘RSA_free’
decrypt_update.c:484: warning: implicit declaration of function ‘free’
decrypt_update.c:484: warning: incompatible implicit declaration of built-in function ‘free’
decrypt_update.c:487: warning: implicit declaration of function ‘RSA_verify’
decrypt_update.c:487: error: ‘NID_sha1’ undeclared (first use in this function)
make: *** [decrypt_update] Fehler 1
Sorry for my English, translated by Google

regards rubinho

Update:

With the package libssl-dev I get a little further.

Code:

make
gcc -O2 -Wall -pedantic -o decrypt_update decrypt_update.c -lcrypto
gcc -O2 -Wall -pedantic -o encrypt_update encrypt_update.c -lcrypto
arm-SamyGO-linux-gnueabi-gcc -O2 -Wall -o game/rsadis.so -s -shared disablesigcheck.c
make: arm-SamyGO-linux-gnueabi-gcc: Kommando nicht gefunden
make: *** [game/rsadis.so] Fehler 127
What is arm-SamyGO-linux-gnueabi-gcc??? (Sorry... I'm a Tux compiler noob)
arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)

Re: Encryption/Decryption of Update files.

Post by arris69 »

mprotect wrote: Hi,

I attach some tools for decrypting/encrypting the CIP firmware files and a plugin for disabling the RSA signature check.
Try them at your own risk :!: I tested the tools but I didn't flash a patched firmware yet.
1. Happy new year to all

I tried different CIP firmwares but no success, or do I miss the point?

Code:

./decrypt_update T-CHUCIPDEUC/image/exe.img.sec exe.img
Decryption completed, CRC=0x43b976b9.
/decrypt_update T-CHUCIPDEUC/image/appdata.img.sec appdata.img
Decryption completed, CRC=0x5f2e612f.

cat T-CHUCIPDEUC/image/validinfo.txt
*007_exe.img_3724894e*011_appdata.img_04706d3d

../../Decompressors/unsquashfs-3.0 appdata.img
Major/Minor mismatch, filesystem on appdata.img is (26:0) <- ??????
I only support Squashfs 3.0 filesystems!  Later releases will support older Squashfs filesystems

mount -o loop -t vfat exe.img tt
ll tt
ls: Zugriff auf tt/?0??.? nicht m?glich: Eingabe-/Ausgabefehler
insgesamt 882429568                                            
-r-xr-xr-x 1 root root  436207622 1980-01-26 05:32 =?          
                                                     ? @                                                                     
                                                        ?.(?                                                                 
                                                            * ...
So, the decoded images look like some kind of "valid filesystems", but I think I'm missing something.
Are the filesystems double encrypted? Endian madness?...

arris
mprotect
Official SamyGO Developer
Posts: 19
Joined: Sun Dec 06, 2009 4:41 pm

Re: LExxB650 T2P CI+ hacking

Post by mprotect »

arris69 wrote: I tried different CIP firmwares but no success, or do I miss the point?

Code:

./decrypt_update T-CHUCIPDEUC/image/exe.img.sec exe.img
Decryption completed, CRC=0x43b976b9.
/decrypt_update T-CHUCIPDEUC/image/appdata.img.sec appdata.img
Decryption completed, CRC=0x5f2e612f.

cat T-CHUCIPDEUC/image/validinfo.txt
*007_exe.img_3724894e*011_appdata.img_04706d3d
The CRC checksums are wrong. You're trying to decrypt a T-CHUCIPDEUC image, not a T-CHLCIPDEUC image. That's why you need to adapt the xor key. Then it should work.
arris69
Official SamyGO Developer
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)

Re: LExxB650 T2P CI+ hacking

Post by arris69 »

mprotect wrote:
arris69 wrote:...
The CRC checksums are wrong. You're trying to decrypt a T-CHUCIPDEUC image, not a T-CHLCIPDEUC image. That's why you need to adapt the xor key. Then it should work.
Thanks. :oops:
I'll get a bit crazy with all the different f.. T-......

arris

As a note: in static void xor()

Code:

        /* static const unsigned char *key = (unsigned char *) "T-CHLCIPDEUC"; */
        static const unsigned char *key = (unsigned char *) "T-CHUCIPDEUC";
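The key/CRC mismatch discussed above, as an added example that is not part of the thread or of the decrypt_update tool. It assumes the xor() layer is a repeating-key XOR with the model string as key and that the validinfo.txt values are CRC32 over the decrypted image; both are assumptions, and the sample image is constructed.

```python
import re
import zlib
from itertools import cycle

# Constructed sample modelled on the validinfo.txt line quoted in the thread.
VALIDINFO_LINE = "*007_exe.img_3724894e*011_appdata.img_04706d3d"


def parse_validinfo(line):
    """Map image name -> expected CRC. The "*NNN_name_crc32hex" field
    layout is an assumption read off the quoted line, not a documented format."""
    return {m.group(2): int(m.group(3), 16)
            for m in re.finditer(r"\*(\d+)_([^*]+)_([0-9a-fA-F]{8})", line)}


def xor_layer(data, model):
    """Repeating-key XOR with the model string as key (assumed from the
    static key in xor() shown above). XOR is its own inverse, so the same
    call encrypts and decrypts."""
    key = model.encode("ascii")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def check_image(decrypted, name, validinfo):
    """Compare CRC32 of the decrypted image (assumption) with the validinfo entry."""
    actual = zlib.crc32(decrypted) & 0xFFFFFFFF
    expected = validinfo[name]
    return actual == expected, actual, expected


# Constructed fixture: a fake exe.img XOR-encrypted under T-CHUCIPDEUC.
SAMPLE_PLAIN = b"constructed exe.img payload, not a real firmware image\n" * 8
SAMPLE_MODEL = "T-CHUCIPDEUC"
SAMPLE_SEC = xor_layer(SAMPLE_PLAIN, SAMPLE_MODEL)
SAMPLE_VALIDINFO = {"exe.img": zlib.crc32(SAMPLE_PLAIN) & 0xFFFFFFFF}


def try_model(model):
    """Decrypt the fixture with the key for `model` and verify against validinfo.
    A wrong model string (e.g. T-CHLCIPDEUC) yields a CRC mismatch, which is the
    symptom arris69 hit above."""
    return check_image(xor_layer(SAMPLE_SEC, model), "exe.img", SAMPLE_VALIDINFO)


if __name__ == "__main__":
    for model in ("T-CHLCIPDEUC", "T-CHUCIPDEUC"):
        ok, actual, expected = try_model(model)
        print(f"{model}: CRC=0x{actual:08x} expected=0x{expected:08x} "
              f"{'OK' if ok else 'MISMATCH'}")
```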
rubinho76
Posts: 13
Joined: Wed Dec 30, 2009 10:12 am

Re: LExxB650 T2P CI+ hacking

Post by rubinho76 »

Is it possible to flash the same firmware (2006) twice (Primary and Alternate)?

I shot the 2004 FW :oops:

regards Rubinho
erdem_ua
SamyGO Admin
Posts: 3126
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: LExxB650 T2P CI+ hacking

Post by erdem_ua »

I wanted to ask mprotect: what if we leave the signature area null in the re-encrypted file? Does the kernel complain about that?
Or does it only check executables and kernel modules instead of the whole image? And I don't understand the encryption code at Salt. Why don't we use "SamyGO__" as salt?

If the kernel does not check this signature area (if it's safe to leave this signature area empty), then I could release SamyGO Firmware Patcher v0.16 with CI+ device support on Sunday.
It's good to have an AutoStart script or telnet enabled at boot for CI+ devices. But don't wait for exeDSP VideoAR hacks on CI+ devices (yet).
Thanks.
mprotect
Official SamyGO Developer
Posts: 19
Joined: Sun Dec 06, 2009 4:41 pm

Re: LExxB650 T2P CI+ hacking

Post by mprotect »

erdem_ua wrote: I wanted to ask mprotect: what if we leave the signature area null in the re-encrypted file? Does the kernel complain about that?
Or does it only check executables and kernel modules instead of the whole image? And I don't understand the encryption code at Salt. Why don't we use "SamyGO__" as salt?
AFAIK the signature is used only at flashing time. The checksum validated using the signature is calculated over the XOR-encrypted firmware. The checksums for runtime firmware verification seem to be generated by the TV after flashing.
Why should I use SamyGO__ as salt?
erdem_ua
SamyGO Admin
Posts: 3126
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey

Re: LExxB650 T2P CI+ hacking

Post by erdem_ua »

mprotect wrote: AFAIK the signature is used only at flashing time. The checksum validated using the signature is calculated over the XOR-encrypted firmware. The checksums for runtime firmware verification seem to be generated by the TV after flashing.
Why should I use SamyGO__ as salt?
The answer to that salt question is nothing but my personal taste, because encryption is not important for us...

About flashing modified firmware: it isn't possible to flash the TV with the encrypt_update program's output, right?
Because it leaves a null signature in the encrypted FW image, and this will generate an error at flash time. Or am I wrong about it?

And if checksums are generated after flashing, then we can hack exeDSP via IDA as on CI devices (like for implementing Video ARFix).
